RE: Hacking Terraform State for Privilege Escalation



An interesting attack vector which uses empty terraform providers and a modified state file to execute code!

There’s lots to be excited about as a red teamer and scared of as a blue teamer, but at the top of the list is that the attack does not require a “terraform apply”. Even if the human reviewing this plan doesn’t approve it, the code has already executed.

— Daniel Grzelak

Read the full article on


Leave a Reply